CyberSecurity in the Rotterdam maritime sector

In this interview, we focus on the team awarded for the ‘Cybersecurity in the Rotterdam Maritime Sector’ project, a crucial achievement under the CS4NL programme’s ‘Supply Chain Security’ call. Funded by TKI Dinalog and led by Erasmus University Rotterdam, their work is instrumental in advancing cyber resilience in the maritime and logistics sectors. Here, the winners of the TKI call share their experiences and the impact of their project on cybersecurity in the Netherlands.

“Could you describe the primary goals of the ‘Cybersecurity in the Rotterdam Maritime Sector’ project and how it is expected to enhance cyber resilience in the maritime sector?”

“The project aims to establish a framework for cyber dependencies among companies involved in maritime operational processes in and around the Port of Rotterdam. It focuses on two central questions: How can cyber vulnerabilities be identified and assessed in the context of complex networks of companies, particularly in typical port processes like ship arrivals, and the storage and transport of fuels and chemicals? And how can a large number of small and medium-sized businesses (SMBs) be effectively involved in the cyber-resilient infrastructure?”

“Could you tell us about the people involved in the ‘Cybersecurity in the Rotterdam Maritime Sector’ project? What are their backgrounds, and what motivates them to commit to cybersecurity in the maritime sector?”

“The central organisation here is FERM. This is a platform organisation appointed to enhance cyber resilience in the port. The project also includes the City of Rotterdam and the provincie Zuid-Holland, aiming to extend cyber resilience across the regional maritime sector. Additionally, several companies with specific maritime or cybersecurity expertise are involved in the project. This includes a platform organisation (Platform Safe Business), specifically responsible for security issues for SMBs in the region. The expertise comes partly from the IT field (ethical hacking, IT development), partly from the maritime field (shipping, ports, maritime research), and partly from the security world (police, security).”

“What specific challenges in maritime cybersecurity have been identified, and what innovative solutions or approaches are being applied to address them?”

“The business network encompasses a very diverse population of companies and organisations. Cyber resilience is a chain competency, and it’s challenging to involve all businesses. How do you do this? The mutual interests influencing the development of a cyber-resilient infrastructure are not always clear. Parties often do not have a full view on all other parties in their business networks and their IT landscapes.”

“How has collaboration with various partners such as Erasmus University Rotterdam, the City of Rotterdam, and private companies contributed to the development and implementation of the project?”

“The collaboration has been longstanding and has covered safety-related themes. Cyber issues are increasingly recognized as important and urgent. This has led to the initiative to take concrete steps towards cyber resilience.”

“Could you elaborate on the SMB integration strategy developed in the project? How is SMB involvement in cyber resilience being enhanced?”

“As mentioned earlier, SMBs are a source of vulnerabilities, and we are dealing with a large number of companies. Our project aims to research effective SMB engagement approaches and then, in collaboration with parties like PvO (Platform Veilig Ondernemen), roll these out in the maritime sector over two years. The approach must be scalable, moving beyond conventional initiatives like information sessions and newsletters.”

“What are the main outcomes of the research to date, and what are the future plans or directions for the development of cyber resilience in the Rotterdam Port?”

“The project is in its initial phase. The first explorations to identify mutual interests are currently underway. We are taking initial steps in concept formation. It’s crucial to involve and query the companies in the complex network. The project will take shape by focusing on a few critical processes in the port, which will be selected by January/February 2024. Within these processes, we will undertake research: chain mapping, mapping cyber dependencies, and identifying the role of SMBs. Special attention will also be given to governance in the cyber domain.”

“How has the CS4NL program contributed to the project, and what is the perceived role of such programs in advancing cybersecurity research and innovation in the Netherlands?”

“The CS4NL program has facilitated parties to connect with a concrete goal in mind, enabling steps that were previously discussed at theme tables. It offers the chance to answer questions that are widely prevalent. The support in networking and choosing a good starting point for the research proposal from CS4NL has been invaluable. Cyber resilience has become more urgent, and the CS4NL program provides an opportunity for corporate Netherlands to take steps in this direction.”

“According to the participants, what are the biggest trends and challenges in cybersecurity for logistic chains, and how is the project preparing for future threats?”

“In the business domain, recurrent cyberattacks have raised alarms. Incidents like the APM Terminals hack and the cyberattacks on Dirkzwager and VOPAK are well-known. The recent position paper by the Port of Rotterdam for the discussion on cyber resilience in the Dutch Parliament on September 6, 2022, also highlights concerns. In the Rotterdam region, a cyber resilience infrastructure is being developed, with new entities like FERM playing a central role. The challenges include a lack of insight into how complex business chains in maritime operational processes result in cyber vulnerabilities and the focus on the large number of SMBs in the maritime domain, some of which perform crucial functions. The urgency of this topic is underscored by the impending implementation of NIS-2 in the Netherlands in 2024, where hundreds of companies will become ‘critical’. These companies will start seeking answers on cyber resilience from their business partners, posing a considerable challenge, especially for SMBs. Additionally, regular cyberattacks and related crimes, such as storage spoofing, are a growing problem.”

On the left Albert Veenstra Professor of Trade and Logistics, Rotterdam School of Management/Erasmus UPT/ Erasmus University Rotterdam and on the right Bas van Bree, Operational Director, TKI Dinalog.